Can the cloud really keep a (government) secret?
The federal government has adopted a policy of moving as many agencies' IT activities as practical into the cloud, a policy that the National Security Telecommunications Advisory Committee -- at the risk of stating the obvious -- calls a paradigm shift.
"As with any technology paradigm shift, issues such as how the new technologies are used, security, policy, and oversight must be considered when weighing the benefits of adopting the new paradigm," NSTAC wrote in its recent Report to the President on Cloud Computing.
The central question addressed in the report, released in May, is whether critical national security and emergency preparedness (NS/EP) processes can be migrated safely to the cloud. The answer is yes, but with caveats.
"Conceivably any NS/EP process, including the most sensitive matters, could be moved to 'some kind of' cloud, given proper attention to architectural and security decisions," the committee concluded.
That does not mean that every process should be moved to the cloud, of course. Agencies must decide what to move and what security controls they will need to have in place. The Federal Cloud Computing Strategy released in 2011 estimated that one quarter of federal IT spending, about $20 billion, could be migrated to the cloud.
The NSTAC report helps identify likely candidates for cloud migration by ranking and prioritizing various mission-critical functions based on the relative benefits of the migration. Ultimately, each agency will have to decide its own comfort level in this migration, said Douglas Greise, a principal at the Veris Group, which has been accredited to assess the security of cloud service providers.
Whatever is being moved to the cloud, it will require additional effort and attention from the agency.
"The goal is to reduce complexity and expense and to shut down where possible," Ken Ammon, chief strategy officer for Xceedium, said of the cloud initiative. But any major shift in operations will require testing and time for transitioning before legacy systems can be retired. So in the short run while things are in transition, the shift could mean increased complexity.
That leaves the question of what constitutes adequate security controls. At one level, the answer is simple. Both NSTAC and service providers agree that the cloud requires the same safeguards that agencies are providing on their own systems.
"The expectations of your cloud vendor shouldn't be any different from what you were hosting in your basement," said Francis Trentley, senior service line director for Akamai Public Sector and former CIO for White House Communications.
At a practical level, determining appropriate security becomes much more complex. At the core of cloud security requirements for government are the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA).
FedRAMP is an effort to help both agencies and vendors by establishing a blanket certification and accreditation program that will ensure that cloud service providers meet the basic requirements of FISMA. With the potentially large number of operations that could be moved to the cloud, the certification and accreditation process could quickly become bogged down in unmanageable expense and complexity if done on an agency-by-agency, vendor-by-vendor basis.
NSTAC has published a separate 240-page appendix of security controls that agencies should consider when making cloud decisions.
Few service providers can now meet the entire laundry list of requirements, but NSTAC is confident that they are achievable. "While not in place today, the needed 'comparable' NS/EP-support regime of policy, legal, security and other considerations can be both defined and implemented," the authors wrote.
Even though FedRAMP requirements provide only a baseline of security controls for cloud service providers, passing muster is not necessarily an easy task. It will demand significant time and resources for companies seeking authorization to provide government services.
"The biggest hurdle is that it's a new program and expectations are not real clear," said Dave Svec, a principal at Veris Group. "There will have to be a lot of learning up front."
Veris is among the first generation of companies accredited by the General Services Administration as a third-party assessment organization, or 3PAO, that will be certifying service providers for FedRAMP. It will interview company officials, examine documentation of security programs and controls, and perform onsite and remote testing of those controls.
"It's an assessment of the current security status at one point in time," Veris Group's Greise said.
As of this writing no providers have been certified. The FedRAMP program has achieved initial operating capability and still is in the process of ramping up.
The degree of difficulty in becoming certified will depend in part on how familiar companies are with the FISMA requirements underlying FedRAMP. If a company has experience in the government market, it is more likely to have a mature security model. "If they have been a strictly commercial business, they might not have a good understanding of FISMA requirements," Greise said, adding that FedRAMP certification might be more difficult for such companies.
Several service providers have begun the certification process, and although Veris warns that it could be a daunting challenge for small and even for mid- and large-size companies, it is expected that the first class of two to four providers will be certified by the end of the year.
"We are going to be one of the first ones through the FedRAMP certification," Akamai's Trentley predicted.
Akamai is a content delivery company that moves customers' public content to a global network of servers, bringing content closer to end users and removing much of the customer enterprise from the delivery process. It is in the certification process now and is taking advantage of the fact that it already is doing business with government.
"They all use us," Trentley said referring to cabinet-level agencies. The company is leveraging the certifications and accreditations it already has received from individual agencies to pass FedRAMP. "We're going through it one more time for everybody," he said.
From Akamai's point of view, the logical first candidates to be moved to the cloud are public content and services. As online delivery of services grows, these functions are important to agency missions. At the same time the information they contain, although it might sometimes be sensitive, is rarely classified and not critical to operations.
"Moving public targets to a public cloud makes sense," Trentley said. "Public-facing apps can live easily in the cloud with proper controls and management."
Relying on a content delivery service can provide improved reliability and resiliency by putting content in a distributed system that can handle spikes in demand; also, it's more difficult to target with a denial of service attack and can help improve security for the rest of the enterprise by separating public from internal operations, Trentley said.
"I can get the public off your infrastructure," he said. "That's a huge space you've made on your plate," freeing up resources for other security issues.
FedRAMP authorization represents only a snapshot of the security status of a cloud environment, and agencies will have to maintain a process for monitoring conditions and activities within the cloud to ensure that security is maintained at the required level. This will require technology to monitor and log activities and transparency on the part of the provider to enable the agency to use this data.
Ensuring ongoing security puts a premium on identity and access management to make it clear who is doing what on the system, and controlling what resources each person can access. For agencies, this should mean that systems support the Personal Identity Verification (PIV) card for civilian agencies and the Common Access Card (CAC) for Defense Department employees and contractors.
"Passwords aren't going anywhere any time soon," said Xceedium's Ammon, but the PIV and CAC cards should provide the required second authentication factor.
Privileged control tools, such as those offered by Xceedium and other vendors, can help enable transparent access to a virtual environment for administrators and other managers while controlling access and logging activity.
"That is a challenge for the cloud environment," Ammon said, referring to the need to continuously discover and monitor resources in a large number of virtual machines. Managing and tying credentials at the front end to a constantly changing virtual environment offers one more new element of complexity in the cloud.
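The three controls the preceding paragraphs describe (a card-based second factor on top of the password, least-privilege mapping of each administrator to the virtual machines they may touch, and an audit log of who did what) can be sketched in a small privileged-access gateway. The following is an added example written for this article; it is not code from NSTAC, Xceedium, Veris Group or Akamai. The users, card secrets, VM inventory and role mappings are constructed sample data, and the PIV/CAC exchange is simulated with an HMAC challenge-response rather than a real smart-card certificate check. It also shows the inventory problem Ammon raises: a VM that appeared after the last discovery pass is denied until the gateway re-discovers it.

```python
"""
Added example, not from the article or any vendor it names: a minimal
privileged-access gateway with (1) password plus a simulated PIV/CAC card
challenge-response as the second factor, (2) least-privilege role-to-VM
mapping, (3) an audit log of every allow/deny decision, and (4) a refreshed
VM inventory so authorization never relies on a stale picture of the
virtual environment. All identities and secrets below are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


def _pw_hash(password: str, salt: str) -> str:
    # Salted PBKDF2 so the constructed identity store holds no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed identity store. "card_secret" stands in for the private key on a
# PIV/CAC card; a real deployment verifies a signature and certificate chain.
USERS = {
    "alice": {"salt": "s1", "pw": _pw_hash("correct horse", "s1"),
              "card_secret": b"alice-card-key", "roles": {"web-admin"}},
    "bob":   {"salt": "s2", "pw": _pw_hash("battery staple", "s2"),
              "card_secret": b"bob-card-key", "roles": {"db-admin"}},
}

# Least-privilege policy: which VM tags each role may administer.
ROLE_TO_TAGS = {"web-admin": {"web"}, "db-admin": {"db"}}


@dataclass
class Gateway:
    inventory: dict = field(default_factory=dict)   # vm name -> tag
    audit_log: list = field(default_factory=list)

    def refresh_inventory(self, discovered: dict) -> None:
        # Virtual environments change constantly; re-discover before authorizing.
        self.inventory = dict(discovered)

    def _log(self, user, action, vm, result, reason) -> None:
        self.audit_log.append({"ts": time.time(), "user": user, "action": action,
                               "vm": vm, "result": result, "reason": reason})

    def issue_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, user: str, password: str, challenge: bytes,
                     card_response: bytes) -> bool:
        rec = USERS.get(user)
        if rec is None:
            self._log(user, "login", None, "deny", "unknown user")
            return False
        if not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
            self._log(user, "login", None, "deny", "bad password")
            return False
        expected = hmac.new(rec["card_secret"], challenge, "sha256").digest()
        if not hmac.compare_digest(expected, card_response):
            self._log(user, "login", None, "deny", "second factor failed")
            return False
        self._log(user, "login", None, "allow", "password + card")
        return True

    def authorize(self, user: str, action: str, vm: str) -> bool:
        rec = USERS.get(user)
        tag = self.inventory.get(vm)
        if rec is None or tag is None:
            self._log(user, action, vm, "deny", "unknown user or vm not in current inventory")
            return False
        allowed = set().union(*(ROLE_TO_TAGS.get(r, set()) for r in rec["roles"]))
        ok = tag in allowed
        self._log(user, action, vm, "allow" if ok else "deny",
                  f"vm tag {tag!r} vs roles {sorted(rec['roles'])}")
        return ok


def simulate_card(user: str, challenge: bytes) -> bytes:
    """Stand-in for the smart card computing its response to the challenge."""
    return hmac.new(USERS[user]["card_secret"], challenge, "sha256").digest()


def demo() -> dict:
    gw = Gateway()
    gw.refresh_inventory({"web-01": "web", "db-01": "db"})
    ch = gw.issue_challenge()
    r = {}
    r["alice_login"] = gw.authenticate("alice", "correct horse", ch, simulate_card("alice", ch))
    r["alice_wrong_card"] = gw.authenticate("alice", "correct horse", ch, simulate_card("bob", ch))
    r["alice_web"] = gw.authorize("alice", "ssh", "web-01")
    r["alice_db"] = gw.authorize("alice", "ssh", "db-01")
    # web-02 was created after the last discovery pass: denied until re-discovered.
    r["alice_new_vm_stale"] = gw.authorize("alice", "ssh", "web-02")
    gw.refresh_inventory({"web-01": "web", "db-01": "db", "web-02": "web"})
    r["alice_new_vm_fresh"] = gw.authorize("alice", "ssh", "web-02")
    r["denials_logged"] = sum(1 for e in gw.audit_log if e["result"] == "deny")
    return r


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every decision, allowed or denied, lands in the audit log with the user, action, target and reason, which is the transparency an agency needs to perform its own continuous monitoring on top of a provider's FedRAMP snapshot.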